1) Is my CPU too slow for clamav ? 2) target category

AC439

I have been using PFsense for a few years and recently did a fresh install 2.3 (32bits) on a AMD Sempron 3100+ with 2GB of RAM.

My internet is only 25/3 and I have squid3 (0.4.16.2), ClamAV and squidguard (1.14_3) enabled.

1. In ClamAV, I always get this message - WARNING: Local version: 0.99 Recommended version: 0.99.2,  I know this refers to the engine and I'm getting virus definition update.  The system tries to update ClamAV engine on a schedule.  Not sure if there is a way to turn off the engine update but leave the virus definition update active ?

Also, every time my WAN link goes down and comes back up (momentary), the pfsense machine becomes very slow for a few minutes.  The web interface would not be responsive and I have no internet access.  When it started to have a little response, I checked the system activity and the top 7-8 lines are mostly processes related to ClamAV or clamd etc using all the CPU power (the [idle] was not seen or very close to 0%.  Eventually the % of CPU [idle] will goes back up and things becomes normal after a few mins.  When I turned off ClamAV, this problem will go away.

In my previous pfsense installation (2.1.5), I did not have this problem.  But HAVP was used instead.  Is my CPU too slow for ClamAV since it is an old Sempron single core ?

2. I have a target category added and I put some domain names in it.  Then I went to commom ACL and deny this category.  But when I tested it on a browser, it does not block it.  For example, I have 7search.com in the target category.  The target category is listed at the top under commom ACL and set to [deny].  But when I opened a browser and typed in 7search.com, it will still open that web site.  Did I miss something ?  What should I check ?

Oh, btw, is the shallalist down ?

Thanks.

Nachtfalke

Hi,

2. • squidguard:
     Do you have something else configured on CommonACL which has "Whitelist"? In general you probabaly hav "Default access" set to "Allow", other categories set to "deny" or "–-" and the additional "Target List" as "whitelist", right?

Further make sure, after you added the new target categorie to "Common ACL" you have to click "Save" and then "Apply" on the squidguard "General Settings" tab to activate your changes.

1. • ClamAV
     Needs RAM and CPU power. You probably have to disable some checks or filesize. But perhaps some other options can increase speed:

squidclamav.conf:
dnslookup 0
safebrowsing 0

c-icap.conf
StartServers 10
MaxServers 50
MinSpareThreads    15
MaxSpareThreads    30
ThreadsPerChild    10
MaxRequestsPerChild  300  # helps to avoid memory leaks

clamd.conf
MaxConnectionQueueLength 50  # I decreased the length and allowed more threads
MaxThreads 50                  # more threads but less connections per thread --> more parallel processing
MaxQueue 200

If it then still does not peform well/better then you probably have to disable checks starting from this entry in clamd.conf:

Executable files

Regards

AC439

Thanks for reply.

Squidguard:- I dont have anything under common ACL as whitelist.  Default (listed at the bottom) access has been set to allow.  Other categories (from shalla list) mostly set to "–-" but advertisement and several set to deny.  My custom list is at the very top and I set it to deny.  Of course, have saved and apply and reboot many times.  Still doesn't work.

ClamAV:- I figured this is a CPU intensive package but I have 2GB of RAM and don't think I need more than that.  I have just installed pfsense (AMD64) on another Sempron box with similar speed but a 64 bit processor.  Put the same packages on and restored the same config to the new box.  It seems to run better and less max out on CPU.  I think I need to eventually build another box which has better CPU power but use less electricity.

About the parameters, I think I have to learn VI editor first before I can mess around with them.  Seems like most of them cannot be configured via web interface.

Regards.
AC

AC439

ok, just poked around more and the URL filtering is mysteriously working so I'm good with that part.  thanks.

Nachtfalke

Hi,

all ClamAV options I posted above can be done via WebUI. You just have to enable the advanced options for Antivirus. To do this go to:

squid –> Antivirus --> Click one time on "Load advanced" and then  on the bottom of the page you can see all the necessary files or at least the "show advanced options" button.
So you can edit everything via the WebUI. But perhaps this is not necessary as you found out that it performas better with newer hardware.

But before changing your hardware you should compare the pros and cons of Antivirus in squid. If you have really advantages of such a feature or if it is enough to have a goof antivirus on your desktop.

Regards

AC439

Thanks for information.

Someone just gave me a core 2 duo machine which I will put pfsense on it.  After this, I may move on to a 1037u machine to save power consumption.

I don't know if firewall/router level antivirus is necessary but I think its good to have another layer of protection, isn't it ?

Best regards.

Nachtfalke

Of course it is. The chance is higher to find a virus, trojan and so on earlier the more security features and tools you are using.
Just want to give you an additional argument to decide if it is worth to buy new hardware only for ClamAV or if there are other possibilities to secure your network.